Cisco hardware question

Hello,

I apologize if this is an unusual topic but I would like to know what this expert community thinks about this issue:

We have noticed that a number of Cisco appliances we have recently purchased and paid for (AS NEW) are being shipped as if they have already been used/refurbished. In other words, several times we have seen brand new Cisco hardware, out of the box, that has pre-existing configuration (interfaces with private IP addresses, static routes, etc.) and in some cases even non-system files, like ‘crashdump.txt’ or additional IOS images. Most importantly, our latest purchase, 2 'new' ASAs, contains a series of files named FSCK0000.REC, FSCK0001.REC, FSCK0002.REC, etc. Based on some research, it seems that these files are 'recovery files' signaling bad/failing hard disks in these appliances.
Has anyone on this group seen this before, and if yes, are we supposed to blindly trust the vendor saying the hardware is new, safe and secure?

The only way I can explain this is that the hardware has been refurbished or previously configured for reasons unknown to me. I think if customers pay for new hardware, they should get new hardware, even if refurbished hardware may be covered by Smartnet.

Any thoughts or recommendations anyone? The last thing we want to do is to deploy faulty (or non secure) security appliances in production. :slight_smile:

Thank you

Best regards

If you are getting Cisco hardware with configs on it or crashfiles, etc., then no, it is NOT new equipment. Who are you buying from? Are they a Gold partner on Cisco's partner locator? If not, then I have seen some seedy things, and of course I have seen seedy things with Gold partners too; I am just pointing out that the ability to compete and make margin gets more and more difficult the lower the partner is on the totem pole, and so desperation can drive certain behavior.

In general, from a Cisco Gold partner you can expect as good as 35-40% or so on new equipment for a discount for regular deals. With special pricing for special projects you may be able to get a bit better, and maybe 1% or so better for general products from CDW or a big box company like them. If you are paying 50-60% off list for just individual items you order, then it's likely not new and there is likely something shady going on, as no partner is going to get you some special discount pricing on a single 3845, for example.

All of your good gold partners are going to charge around the same, give or take a few percent, on material. So find someone you can trust and just build a relationship. If you're paying new prices for used gear, then yes, you are getting ripped off.

I would be glad to recommend to you a reputable gold partner if you email me off list.

Brian

Don't deploy the equipment, demand a refund, and report the reseller to Cisco. I agree completely with Brian - find a good Cisco partner and stick with them. Also, you can't legally buy used Cisco equipment and use the operating system. You can buy the equipment but the OS is absolutely non-transferable. If you try to get SMARTNet on it, red flags will go up and Cisco won't support it.

Thanks,
Matt

Matt Adcock, Manager
334-481-6629 (w) / 334-312-5393 (m) / MAdcock@hisna.com
700 Hyundai Blvd. / Montgomery, AL 36105

If you are getting Cisco hardware with configs on ... Then no it is NOT new equipment.

That is not entirely true. Many Cisco models arrive with a default configuration - private IP addresses and all. All the new Cisco ASA's I've seen were this way.

Tim Sanderson wrote:

That is not entirely true. Many Cisco models arrive with a default configuration - private IP addresses and all. All the new Cisco ASA's I've seen were this way.

Ditto on that. Of about 12 ASA 5505s and 5510s I've deployed in the last year, only one didn't come with a private IP enabled and a public interface set to DHCP. The only one that didn't was running about a year behind in firmware, while the rest came pre-loaded with the latest.

Joe Johnson
Chief Information Officer
Riverside Consulting Group, Ltd.
joe@riversidecg.com
www.riversidecg.com

So if one were to purchase equipment, which is explicitly sold as
"Refurbished" from, say www.impulsetech.us and they were to offer Smartnet
on it, there is no guarantee that even if you paid for it, that Cisco would
fulfil their support contract?

Regards,

Ken

According to previous conversations with my Cisco rep the answer is no - Cisco won't support it. I'm blind copying him on this and will pass on his response.

Thanks,
Matt

Thanks for the feedback. Let me clarify a few things regarding issues that this thread has addressed so far:

A) Pre-existing configs: What Tim and Joe mentioned is apparently correct. I was on phone with a few Cisco tech-reps earlier today and they told me that since version 8.2, they have been shipping ASAs with a default configuration, which explains the existence of private IP addresses on the inside interface, etc ... .

B) What Cisco reps could NOT explain was the existence of a number of FSCK000#.REC files on these appliances. To be more specific, each of the ASAs in question contains 4 extra files: FSCK0000.REC, FSCK0001.REC, FSCK0002.REC, FSCK0003.REC. I said 'extra' because I asked the Cisco reps on the phone to provide me a complete list of files that should exist on a brand new ASA, and the 4 files above were not part of the list, and I think even they got confused when I mentioned the existence of these files.

I could not find much info on these files, but a simple Google search indicates that these files may be 'recovery files' of disks operating under a Unix/Linux/BSD/etc. kernel, indicating a dying hard drive. That would be enough to freak me out! Can anyone confirm this?

C) SmartNet issue: I am a little confused on this. Since this purchase was for NEW equipment, and the devices were shipped by Cisco (at least that is what I read on the box; a Cisco warehouse in TX), then my understanding is that the devices came with the first 12 months of SmartNet anyway. So I will be surprised if they decline the contract renewal after the first year. After all, they sold us the appliances as if they were new. How can they decline renewal if I can prove that I paid them for new?

D) Reseller: Yes, I appreciate the input. I will stick with a bigger name like CDW, next time, but again it appears to me that the devices were shipped from a Cisco warehouse in Texas, and not from the reseller's location.

I would greatly appreciate any input, especially on B)

Thank you

Best regards

Step #2.
Retain legal counsel or talk to general counsel.

Kaveh:

I can confirm with absolute certainty that fsck is a Unix utility for determining if a hard disk is failing and optionally attempting a recovery. I have never heard of such output files, though. How big are they? If they are tiny, they could just be status reports or a save of the program's output. If they are large, they may represent backups of the flash memory.

Ben

Ben,

Here is the output of # dir command - It includes all the files on disk0:/

ciscoasa# dir

Directory of disk0:/

134 -rwx 16275456 08:43:56 Jul 15 2009 asa821-k8.bin
135 -rwx 11348300 10:46:44 Jul 15 2009 asdm-621.bin
136 -rwx 20480 00:00:00 Jan 01 1980 FSCK0000.REC
3 drwx 4096 00:03:28 Jan 01 2003 log
10 drwx 4096 00:03:38 Jan 01 2003 crypto_archive
11 drwx 4096 00:04:00 Jan 01 2003 coredumpinfo
138 -rwx 61440 00:00:00 Jan 01 1980 FSCK0001.REC
139 -rwx 9526560 10:43:02 Jul 15 2009 csd_3.4.1108.pkg
140 drwx 4096 10:43:02 Jul 15 2009 sdesktop
141 -rwx 2397046 10:43:04 Jul 15 2009 anyconnect-wince-ARMv4I-2.3.0254-k9.pkg
142 -rwx 2648712 10:43:04 Jul 15 2009 anyconnect-win-2.3.0254-k9.pkg
143 -rwx 4217694 10:43:06 Jul 15 2009 anyconnect-macosx-i386-2.3.0254-k9.pkg
144 -rwx 4259411 10:43:10 Jul 15 2009 anyconnect-linux-2.3.0254-k9.pkg
145 -rwx 28672 00:00:00 Jan 01 1980 FSCK0002.REC
146 -rwx 4096 00:00:00 Jan 01 1980 FSCK0003.REC

255582208 bytes total (201719808 bytes free)

Thanks

fsck is not just for failing hard drives. fsck is used any time you want to check a disk (may it be ssd, optical, magnetic) for any kind of errors or inconsistencies. It's a standard part of any UNIX toolkit.

On Linux systems with ext2/3, you'll see lost+found, which is where stuff ends up if it can't be connected to an actual file entry. Sounds exactly like what those FSCK files are - DOS used to do this with scandisk.

beat me to it by a minute or two :slight_smile:

I'd guess (from a *nix-yness background) that the appliance is set up to
automatically fsck a disk if it's dirty - `dirtiness` can be caused by
things like an unexpected power cut as well as nasty things like hardware
troubles. Appliances are prone to "power pulls" as they are usually
headless.
Some "diskless" appliances don't even bother to check, somewhat
dismayingly.

Not sure what the exact fs is on those boxes - anyone happen to know? -
but from experience, I wouldn't be worrying too much (though I'd be very
curious of course).

Gord

Take the S/Ns and run them over by Cisco.

A) Pre-existing configs: What Tim and Joe mentioned is apparently correct. I was on phone with a few Cisco tech-reps earlier today and they told me that since version 8.2, they have been shipping ASAs with a default configuration, which explains the existence of private IP addresses on the inside interface, etc ... .

The Pix 501 was like that too. It was usable "out of the box".

...

I could not find much info on these files, but a simple Google search indicates that these files may be 'recovery files' of disks operating under a Unix/Linux/BSD/etc. kernel, indicating a dying hard drive. That would be enough to freak me out! Can anyone confirm this?

It's not a "disk", but a CF (256M in your case.) It's a DOS FAT filesystem. The underlying linux OS runs dosfsck on every boot. There are *lots* of reasons why it would find things to recover. It's not necessarily an indication of Badness(tm).

C) SmartNet issue: I am a little confused on this. Since this purchase was for NEW equipment, and the devices were shipped by Cisco (at least that is what I read on the box; a Cisco warehouse in TX)...

Not necessarily. I've seen a lot of boxes that appear to have come "direct" from Cisco, however, I know they came from a wholesaler's warehouse. (only one came direct from Cisco. from the factory in Malaysia.)

A lot of counterfeits come direct from the factory, too. :wink:

~Seth
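
An added example, not part of any post in this thread: a receiving-inspection check that parses the `dir` listing posted above and tests whether each FSCKnnnn.REC entry has the shape the dosfsck explanation predicts, namely a whole number of clusters and a zeroed FAT timestamp. The 4096-byte cluster size is an assumption inferred from the directory sizes in the listing, and the function names are illustrative.

```python
import re

# Subset of the `dir` output posted in the thread (disk0:/ on the ASA).
LISTING = """\
134 -rwx 16275456 08:43:56 Jul 15 2009 asa821-k8.bin
136 -rwx 20480 00:00:00 Jan 01 1980 FSCK0000.REC
3 drwx 4096 00:03:28 Jan 01 2003 log
138 -rwx 61440 00:00:00 Jan 01 1980 FSCK0001.REC
139 -rwx 9526560 10:43:02 Jul 15 2009 csd_3.4.1108.pkg
145 -rwx 28672 00:00:00 Jan 01 1980 FSCK0002.REC
146 -rwx 4096 00:00:00 Jan 01 1980 FSCK0003.REC
"""

# Assumption: 4096-byte FAT clusters, inferred from the 4096-byte directories.
CLUSTER = 4096
ROW = re.compile(r"^\s*(\d+)\s+([d-][rwx-]{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+"
                 r"(\w{3} \d\d \d{4})\s+(\S+)\s*$")

def parse_dir(text):
    """Parse ASA `dir` rows into dicts; rows that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"mode": m[2], "size": int(m[3]),
                         "time": m[4], "date": m[5], "name": m[6]})
    return rows

def triage(rows):
    """Split FSCKnnnn.REC entries into (recovered, unexplained) lists."""
    recovered, unexplained = [], []
    for r in rows:
        if not re.fullmatch(r"FSCK\d{4}\.REC", r["name"]):
            continue
        # A reclaimed orphan chain occupies whole clusters, and a zeroed
        # FAT date field is displayed as the FAT epoch (Jan 01 1980).
        whole_clusters = r["size"] > 0 and r["size"] % CLUSTER == 0
        fat_epoch = r["date"] == "Jan 01 1980" and r["time"] == "00:00:00"
        bucket = recovered if whole_clusters and fat_epoch else unexplained
        bucket.append((r["name"], r["size"] // CLUSTER))
    return recovered, unexplained

if __name__ == "__main__":
    rec, odd = triage(parse_dir(LISTING))
    for name, clusters in rec:
        print(f"{name}: {clusters} cluster(s), zeroed timestamp: reclaimed chain")
    for name, _ in odd:
        print(f"{name}: not a plain reclaimed chain, inspect its contents")
```

All four files in the posted listing fall into the first list; an entry that lands in the second list is the one to open and inspect before the unit goes into production.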

hmmmm. hmmmmmmmmmm. FAT. Ah well, there must be a reason I guess.
Not exactly what I'd choose for a high security snort box :wink:
But, horses for courses I suppose.

Yes, as others say, good idea to check the s/n's with Cisco directly.
You can _never_ be _too_ careful, both security-wise and financially.
It's not exactly a cheap piece of equipment, service contracts and
licences considered (and I don't mean the GPL one haha )

You can't really blame the frontline reps for not knowing what a fsck
is, it's a new tech concept. Post-80's in fact. Oops, another boot-up pun
in there, sorry.
Humour aside, in fairness, I'm not sure an average rep would know much
about QNX dumps either.

*nix-y stuff puts you very close to the hardware and architectures. You
see it all fly by in the logs and dmesg. Companies like Cisco probably
like to keep you at arm's length from it.

In this case you don't see the hardware so much but you "see" the bottom
line of the invoice. That gives you all the right in the world to ask
deep probing questions whenever you find things like this. A good
manufacturer and supplier will answer them fully, though it may take
some time to find the right clued-up tech internally.

eg: Until you use ZFS you'd never believe the error rates on seemingly
good hard drive systems, especially through "high-end" kit with
supposedly safe "error correction". What you don't see doesn't worry
you.

Gord

That's very true. They ship some out one door for Cisco and some out another door for gray/black market.

One other thing to note - the discounts shown on the Web site previously mentioned here are not that much greater than the ones I know Cisco gives many companies. Is it really worth taking a chance with one of the most critical parts of your infrastructure to save 10% or 15%? In my industry (automotive) and I think in many others the answer is absolutely not.

Matt

Thanks for the feedback. Let me clarify a few things regarding issues that this thread has addressed so far:

A) Pre-existing configs: What Tim and Joe mentioned is apparently correct. I was on phone with a few Cisco tech-reps earlier today and they told me that since version 8.2, they have been shipping ASAs with a default configuration, which explains the existence of private IP addresses on the inside interface, etc ... .

C) SmartNet issue: I am a little confused on this. Since this purchase was for NEW equipment, and the devices were shipped by Cisco (at least that is what I read on the box; a Cisco warehouse in TX), then my understanding is that the devices came with the first 12 months of SmartNet anyway. So I will be surprised if they decline the contract renewal after the first year. After all, they sold us the appliances as if they were new. How can they decline renewal if I can prove that I paid them for new?

Cisco devices don't "come" with SmartNet. They come with a manufacturer warranty which does not entitle you to the same support as smartnet (TAC support, software upgrades, 4 or 8 hour replacement, etc). You need to purchase SmartNet which is recommended.

D) Reseller: Yes, I appreciate the input. I will stick with a bigger name like CDW, next time, but again it appears to me that the devices were shipped from a Cisco warehouse in Texas, and not from the reseller's location.

Buying from CDW is not worth the extra 1% or whatever. What I meant was find a good partner that has account managers that are there for you, engineers you can lean on for pre-sales support, and treats you with customer service. That could be anyone, but you have to find these partners as not every company these days understands what customer service is. They will answer all these types of questions you posted here as well.

Brian

On most transactions, good reputable Cisco partners are making about 3% on the front end. Most good partners make their money off services, and they hire highly trained engineers to deliver projects. Cisco hardware is like any other retail business; there are not deep margins. So trying to get 38% off from CDW vs. taking 37% off from the hometown team you can trust, meet face to face with, talk to the "boss" if you need to... it's just not worth it.

This same thing holds true with network operators to some extent. Some of the best businesses to go to for good support, colocation, transit, etc. are your mid-tier guys with highly clued staff and the need to deliver good service in order to stay competitive.

Brian